CVE-2019-12274
Published 2019-06-06
Priority: P3 (46) · high · CVSS 3.0: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.14% (62.7th percentile)
In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 0 < 1.6.27 | 1.6.27 |
| github.com | rancher_rancher | >= 2.0.0 < 2.2.4 | 2.2.4 |
| github.com | rancher_rancher | >= 2.0.0+incompatible < 2.2.4+incompatible | 2.2.4+incompatible |
| suse | rancher | 1.0.0 – 1.6.28 | — |
| suse | rancher | 2.0.0 – 2.2.3 | — |
CVSS provenance
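| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |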
OSV
Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher
osv·2024-08-20
CVE-2019-12274 Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher
GHSA
Rancher Privilege Escalation Vulnerability
ghsa·2022-05-24
CVE-2019-12274 [HIGH] CWE-668 Rancher Privilege Escalation Vulnerability
OSV
Rancher Privilege Escalation Vulnerability
osv·2022-05-24
CVE-2019-12274 [HIGH] Rancher Privilege Escalation Vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://forums.rancher.com/c/announcements
https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466